Using Our Past to Secure Your Future.


Who is this guy? 

Ruben Santamarta 

Security Researcher at IOActive

What is this talk about?

• Reverse Engineering 

• Industrial Devices 

• Backdoors 

What is this talk NOT about? 

• FUD

• Opinions 




When the context matters...

A decade ago...

Present day

security context
HUNTING FOR BACKDOORS
What do we usually need? 


• IDA + Tools 

• Firmware/Software 

• Documentation 

• Target device (optional) 

• Time 
A VERY BASIC EXAMPLE

Samsung Data Management Server vulnerable to SQLi (HVAC)

http://www.us-cert.gov/control_systems/pdf/ICSA-11-069-01.pdf

5 minutes later... remote root shell
using Tscape.Telnet;
using System;
using System.IO;
using System.Text;
using System.Threading;
using System.Windows.Forms;

namespace DMSUpdaterPlus
{
    internal class TelnetRunner
    {
        // Hard-coded Telnet credentials (the values are blanked out on the slide)
        private const string username = ...;
        private const string password = ...;
        private const string licenseKey = "[Telnet Factory for .NET: Single Developer: Registered]";
        private string _receiveLoginData;
        private string _defaultFolder;
        private string hostname;
        private int port = 23;
        private Telnet telnet;
        private TelnetScript script;

        public TelnetRunner(string defaultFolder, string serverIPAddress) ...
        public void CheckPMSVersion() ...
        public bool DMSUpdaterStartScript() ...
        public bool DMSUpdaterEndScript() ...
        public void OnDontOption(object sender, TelnetDontOptionEventArgs args) ...
        public void OnDoOption(object sender, TelnetDoOptionEventArgs args) ...
        public void OnWontOption(object sender, TelnetWontOptionEventArgs args) ...
        public void OnWillOption(object sender, TelnetWillOptionEventArgs args) ...
        public void OnConnected(object sender, TelnetConnectedEventArgs args) ...
        public void OnDisconnected(object sender, TelnetDisconnectedEventArgs args) ...
        public void OnDataReceived(object sender, TelnetDataReceivedEventArgs args) ...
    }
}

Igor Skochinsky - Intro to embedded reverse engineering for PC reversers (Recon 2010)







0x002a4e00-0x002a5000 6.579724: 100
0x002a5000-0x002a5200 6.435930: 100
0x002a5200-0x002a5400 6.565660: 100
0x002a5400-0x002a5600 6.562761: 100
0x002a5600-0x002a5800 6.545161: 100
0x002a5800-0x002a5a00 6.475664: 100
0x002a5a00-0x002a5c00 6.003570: 100
0x002a5c00-0x002a5e00 6.435573: 100
0x002a5e00-0x002a6000 6.607118: 100
0x002a6000-0x002a6200 6.619943: 100
0x002a6200-0x002a6400 6.714526: 100
0x002a6400-0x002a6600 6.542306: 100
0x002a6600-0x002a6800 6.639181: 100
0x002a6800-0x002a6a00 6.639415: 100
0x002a6a00-0x002a6c00 6.512706: 100
0x002a6c00-0x002a6e00 6.753101: 100
0x002a6e00-0x002a7000 6.726647: 100
0x002a7000-0x002a7200 6.711976: 100
0x002a7200-0x002a7400 6.514506: 100
0x002a7400-0x002a7600 6.693197: 100
0x002a7600-0x002a7800 6.627968: 100

[Hex dump of the boot loader's string region; only one byte column survived the scan. The readable strings from the same region follow.]
exec
Execute an image - with MMU off. [-w timeout] [-b <load addr> [-L <length>]]
[-r <ramdisk addr> [-s <ramdisk length>]] [-c "kernel command line"]
[<entry_point>]
Can't execute Linux - invalid entry address
wait timeout
base address
length
kernel command line
ramdisk_addr
ramdisk_size
swap endianess
[physical] starting address
Base address unknown - use "-b" option
Using base address and length
Length required for non-standard base address
About to start execution at %p - abort with ^C within %d seconds
Basic approach

• Identify compressed blobs
    • Binwalk, entropy zones, header information...

• Rebase
    • 'Load immediate' instructions
    • Switch statements / jump tables
    • Boot loader, headers...

• Detect functions
    • Prolog patterns

• Rebuild symbols
    • VxWorks symbol table
    • libc identification / manually
    • Look for well-structured patterns
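The first step of this approach, finding compressed blobs by entropy zones and by stream headers, is easy to reproduce without binwalk. The following Python script is an added example, not a tool from the talk: it scans a constructed image (0xFF fill, a zlib stream at offset 0x400, zero padding) with a sliding 512-byte Shannon-entropy window, matches well-known stream signatures, and confirms the two-byte zlib header candidates by actually inflating them, which is what keeps a bare `78 DA` match from being a false positive. The signature list, window size and threshold are choices made for this example.

```python
import hashlib
import math
import zlib
from collections import Counter

# Added example (not from the talk): minimal "identify compressed blobs" step,
# i.e. sliding-window entropy plus stream-header matching. Sample data below is
# constructed for this example.

# Longer signatures a firmware image commonly contains. zlib headers are only
# two bytes, so they are confirmed by inflating (see probe_zlib).
SIGNATURES = [
    (b"\x1f\x8b\x08", "gzip"),
    (b"\x89LZO\x00\r\n\x1a\n", "lzop"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"hsqs", "squashfs (little-endian)"),
    (b"sqsh", "squashfs (big-endian)"),
]
ZLIB_HEADERS = {
    b"\x78\x01": "zlib (no/low compression)",
    b"\x78\x9c": "zlib (default compression)",
    b"\x78\xda": "zlib (best compression)",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_zones(blob: bytes, window: int = 512, threshold: float = 7.0):
    """Merge consecutive high-entropy windows into (start, end, peak) zones.
    Compressed or encrypted regions score close to 8; code, tables and padding much lower."""
    zones = []
    for off in range(0, len(blob), window):
        h = shannon_entropy(blob[off:off + window])
        if h < threshold:
            continue
        end = min(off + window, len(blob))
        if zones and zones[-1][1] == off:          # adjacent window: extend the zone
            start, _, peak = zones[-1]
            zones[-1] = (start, end, max(peak, h))
        else:
            zones.append((off, end, h))
    return [(s, e, round(p, 3)) for s, e, p in zones]


def probe_zlib(blob: bytes, offset: int):
    """Inflate a candidate zlib stream; return the decompressed size only if the
    whole stream parses and its Adler-32 trailer checks out, otherwise None."""
    d = zlib.decompressobj()
    try:
        out = d.decompress(blob[offset:])
    except zlib.error:
        return None
    return len(out) if d.eof else None


def find_headers(blob: bytes):
    """Return [(offset, description, decompressed_size_or_None)] for every hit."""
    hits = []
    for off in range(len(blob)):
        for magic, name in SIGNATURES:
            if blob.startswith(magic, off):
                hits.append((off, name, None))
        hdr = blob[off:off + 2]
        if hdr in ZLIB_HEADERS:
            size = probe_zlib(blob, off)
            if size is not None:                    # only report streams that inflate
                hits.append((off, ZLIB_HEADERS[hdr], size))
    return hits


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-firmware-payload") -> bytes:
    """Deterministic incompressible bytes (SHA-256 chain) standing in for an OS image."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed sample image: 0xFF erased-flash fill, a zlib stream at 0x400, zero fill.
PAYLOAD = pseudo_random_bytes(3000)
COMPRESSED = zlib.compress(PAYLOAD, 9)              # level 9 gives the 78 DA header
SAMPLE_IMAGE = b"\xff" * 0x400 + COMPRESSED + b"\x00" * 0x300


def scan(blob: bytes) -> dict:
    return {"zones": entropy_zones(blob), "headers": find_headers(blob)}


if __name__ == "__main__":
    report = scan(SAMPLE_IMAGE)
    for start, end, peak in report["zones"]:
        print(f"high-entropy zone 0x{start:06x}-0x{end:06x} (peak {peak} bits/byte)")
    for off, name, size in report["headers"]:
        extra = f", inflates to {size} bytes" if size is not None else ""
        print(f"0x{off:06x}: {name}{extra}")
```

Running it reports one high-entropy zone beginning at 0x400 and one confirmed zlib stream at the same offset that inflates to 3000 bytes; the 0xFF and 0x00 regions score 0 bits/byte, which is how the boot loader and padding are told apart from the compressed OS.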
SIEMENS SCALANCE X200



Demo time! 

1. - VxWorks - ARM 

2. - Reconstruct Symbols 

3. - Undocumented debug account 

debug:ELSdebug 

4. - Embedded Webserver 
Symbols

VxWorks WindWeb

Diagram: Pagepack (web pages) -> compiler -> firmware (WindWeb + VxWorks)
Demo time!

1. - Custom Redboot - LZO 

2. - Reconstruct Partial Symbols 

3. - Decompress ramdisk 

4. - Emulate binaries by using qemu 
Emulate binaries

• Enlarge your... ramdisk
    • We need to copy the qemu-arm binary in, so...
    • Create a new one with a larger size (mknod + mkfs + mount)
    • Copy the original ramdisk into the new one
    • umount + dd = suitable ramdisk for emulating binaries

• Setup cross-compile environment
    • Compile qemu (static) to support user-mode emulation
    • Enable additional executable formats in the kernel (binfmt)
    • Copy ramdisk '/lib' to '/usr/gnemul/qemu-src'
    • Mount new 'ramdisk', copy qemu-{arch} and chroot it
    • qemu-{arch} -g (remote gdb)

• Enjoy!
Schneider - PowerLogic ION Smart Meters

Documentation                    [OK]
Firmware backdoor                [OK]
Software backdoor                [OK]
Remote access                    [OK]
Confidential documents exposed   [OK]
• Revenue Smart Meters - locked from factory

• Regular login -> basic functionality

• Factory login

"Factory access is restricted to Schneider Electric Technical Support, and should only be enabled when requested by Schneider Electric authorized personnel."

Reversing the firmware
From SRECORD to binary

PML: Fri Mar 23 11:45:52 2007
PML: Device = 7550
PML: Firmware Version = 7550V331
PML: TriggerTime = 50000
PML: CRCTime = 30000
CRC16: 0x3cec, 0xff300000, 0xff30c71e

S00600004844521B
S355FF300000380000003D60FF75332B00003DA0FF7133AD913C3C40FF413B42C920330
S355FF3000503C608000338000808001000C7C0B03A638210008480035K3421FFF07C0
S355FF3000A093C1000893E1000C900100143BE230103FFF00407FFEFB734EFFFF7D315
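Turning an S-record dump like the one above into a flat binary that IDA can load at the right address is the first concrete step of the firmware reversing. The following Python reader is an added example, not the talk's own tooling: it verifies each record's checksum, assembles the S1/S2/S3 data by address, fills gaps with 0xFF (what erased flash reads as) and reports the base and entry addresses. The records in SAMPLE_SREC are constructed for this example (header "HDR", three data words at 0xFF300000 with a 4-byte gap, S7 terminator) and are not the meter's firmware.

```python
from typing import Dict, Optional, Tuple

# Added example (not from the talk): Motorola S-record reader producing a flat
# image plus its base address. Sample records are constructed for this example.

# Address width in bytes for each record type (S4 and S6 are not handled).
ADDR_BYTES = {"0": 2, "1": 2, "2": 3, "3": 4, "5": 2, "7": 4, "8": 3, "9": 2}


def parse_record(line: str) -> Tuple[str, int, bytes]:
    """Return (type, address, data) for one S-record; raise ValueError on a bad one."""
    line = line.strip()
    if len(line) < 10 or line[0] != "S" or line[1] not in ADDR_BYTES:
        raise ValueError(f"not a supported S-record: {line!r}")
    count = int(line[2:4], 16)
    body = bytes.fromhex(line[4:])              # address + data + checksum
    if len(body) != count:
        raise ValueError(f"byte count {count} does not match record length: {line!r}")
    # checksum = one's complement of the low byte of (count + address bytes + data bytes)
    expected = (~(count + sum(body[:-1]))) & 0xFF
    if body[-1] != expected:
        raise ValueError(f"checksum mismatch (got {body[-1]:02X}, want {expected:02X}): {line!r}")
    n = ADDR_BYTES[line[1]]
    return line[1], int.from_bytes(body[:n], "big"), body[n:-1]


def srec_to_binary(text: str, fill: int = 0xFF) -> Tuple[int, bytes, bytes, Optional[int]]:
    """Return (base_address, image, header_bytes, entry_point) for a whole S-record file."""
    chunks: Dict[int, bytes] = {}
    header, entry = b"", None
    for line in text.splitlines():
        if not line.strip():
            continue
        rtype, addr, data = parse_record(line)
        if rtype == "0":
            header = data                       # S0: free-form module name / version
        elif rtype in "123":
            chunks[addr] = data                 # S1/S2/S3: data at a 16/24/32-bit address
        elif rtype in "789":
            entry = addr                        # S7/S8/S9: termination, carries the start address
        # S5 (record count) is not needed for the image
    if not chunks:
        raise ValueError("no data records")
    base = min(chunks)
    end = max(a + len(d) for a, d in chunks.items())
    image = bytearray([fill]) * (end - base)    # unwritten gaps read as erased flash
    for a, d in chunks.items():
        image[a - base:a - base + len(d)] = d
    return base, bytes(image), header, entry


# Constructed sample: header "HDR", three 32-bit words with a gap, S7 terminator.
SAMPLE_SREC = """\
S00600004844521B
S309FF300000DEADBEEF8F
S309FF3000043C60FF75B3
S309FF30000C600000005B
S705FF300000CB
"""

if __name__ == "__main__":
    base, image, header, entry = srec_to_binary(SAMPLE_SREC)
    entry_s = f"0x{entry:08X}" if entry is not None else "n/a"
    print(f"header={header!r} base=0x{base:08X} entry={entry_s} size={len(image)}")
    print(image.hex())
    with open("image.bin", "wb") as f:          # load in IDA as PowerPC big-endian at `base`
        f.write(image)
```

For the sample, the image is 16 bytes at base 0xFF300000 with bytes 8..11 filled with 0xFF, and a record whose checksum does not verify is rejected rather than silently loaded; on a real dump that check is what catches a truncated or mis-copied line before it turns into wrong code in the disassembler.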


• Rebase

• Detect functions

• Rebuild symbols - no symbol table but...

Strings found in the image:
inflate 1.1.3 Copyright 1995-1998 Mark Adler
mallcheck: fatal error; malloc list is corrupted\n

Rebuild symbols by matching C to assembly
/* Implementation module: malloc.c

   Copyright 1989 Diab Data AB, Sweden

   Description:
   Implementation of libc functions

   void *malloc(size_t size)
   void *calloc(size_t nmemb, size_t size)
   void free(void *ptr)
   int mallopt(int, int)
   struct mallinfo mallinfo()
*/

IDA function window after matching (all entries in segment ROM):

Function names recovered: _insert, _malloc, _malloc_check_fn, _mallopt_fix, calloc, free, inflate, malloc (plus entries too garbled to read in the scan)
Start addresses: FF40380C, FF403880, FF403F04, FF4049E0, FF403A18, FF403C00, FF4038A4, FF403B3C, FF403EA8, FF4040B8, FF403A3C, FF403964, FF403E48
Lengths: 00000074, 00000024, 000001B4, 00000024, 00000024, 00000248, 000000C0, 000000C4, 0000005C, 00000050, 00000100, 00000568, 000000B4
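The "detect functions by prolog patterns" step of the approach, applied to the big-endian PowerPC code this firmware runs, can be scripted directly. This added example (not from the talk) treats `stwu r1,-N(r1)` as a function start, rates the match higher when `mflr r0` follows within two instructions, and ends the function at the next `blr`; the resulting `sub_XXXXXXXX` names are placeholders for the symbols that matching against libc source later rebuilds. The 13-instruction sample image and its base address are constructed by hand for the example.

```python
import struct

# Added example (not from the talk): function detection by prolog pattern for a
# big-endian PowerPC32 image. Sample image below is hand-assembled for the example.

STWU_R1_R1 = 0x9421      # high half of 'stwu r1, d(r1)' (opcode 37, rS=1, rA=1)
MFLR_R0 = 0x7C0802A6     # 'mflr r0': link register saved, so this is not a leaf
BLR = 0x4E800020         # 'blr': return


def words(blob: bytes):
    """Yield every aligned 32-bit big-endian word of the image."""
    for off in range(0, len(blob) - len(blob) % 4, 4):
        yield struct.unpack_from(">I", blob, off)[0]


def is_frame_prolog(insn: int) -> bool:
    """'stwu r1,-N(r1)' with a negative displacement: stack frame allocation."""
    return (insn >> 16) == STWU_R1_R1 and (insn & 0x8000) != 0


def find_ppc_functions(blob: bytes, base: int):
    """Return [{'name','start','end','confidence'}]; 'end' is exclusive (after the blr)."""
    ws = list(words(blob))
    funcs, i = [], 0
    while i < len(ws):
        if not is_frame_prolog(ws[i]):
            i += 1
            continue
        # 'mflr r0' within the next two instructions strengthens the match
        confidence = "high" if MFLR_R0 in ws[i + 1:i + 3] else "low"
        j = next((k for k in range(i + 1, len(ws)) if ws[k] == BLR), None)
        start = base + 4 * i
        end = base + 4 * (j + 1) if j is not None else None
        funcs.append({"name": f"sub_{start:08X}", "start": start,
                      "end": end, "confidence": confidence})
        i = j + 1 if j is not None else i + 1   # resume after the blr
    return funcs


# Constructed sample: a non-leaf function, one nop of padding, then a leaf function.
SAMPLE_IMAGE = bytes.fromhex(
    "9421FFF0"   # stwu r1,-0x10(r1)   <- prolog
    "7C0802A6"   # mflr r0
    "90010014"   # stw  r0,0x14(r1)
    "38600000"   # li   r3,0
    "80010014"   # lwz  r0,0x14(r1)
    "7C0803A6"   # mtlr r0
    "38210010"   # addi r1,r1,0x10
    "4E800020"   # blr
    "60000000"   # nop (padding)
    "9421FFE0"   # stwu r1,-0x20(r1)   <- prolog of a leaf function (no mflr)
    "38600001"   # li   r3,1
    "38210020"   # addi r1,r1,0x20
    "4E800020"   # blr
)
SAMPLE_BASE = 0xFF400000

if __name__ == "__main__":
    for f in find_ppc_functions(SAMPLE_IMAGE, SAMPLE_BASE):
        end = f"{f['end']:08X}" if f["end"] is not None else "????????"
        print(f"{f['name']}: {f['start']:08X}-{end} ({f['confidence']} confidence)")
```

On the sample this yields `sub_FF400000` (0xFF400000-0xFF400020, high confidence) and `sub_FF400024` (0xFF400024-0xFF400034, low confidence, a leaf). Leaf functions without a frame are missed entirely, which is why the talk pairs prolog scanning with call-target analysis and string references.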
Image -> Boot loader + compressed OS

    addi    r3, sp, 0x40+var_40
    li      r4, 2
    bl      inflate

005BF8  FF FF FF FF  FF FF FF FF  FF FF FF FF  FF FF FF FF  FF FF FF FF  FF FF FF FF
005C10  FF FF FF FF  FF FF FF FF  FF FF FF FF  FF FF FF FF  FF FF FF FF  FF FF FF FF
005C28  FF FF FF FF  FF FF FF FF  78 DA AC BD  0D 78 54 D5  65 37 BE E7  23 98 E0 70
                                  ^ zlib header (78 DA): start of the compressed OS

loc_FF40024C:
    addi    r3, sp, 0x40+var_40
    bl      sub_FF400310
    bl      sub_FF4036B4
    b       ...
# End of function


Extracted file -> Decompressed Smart Meter OS

ROM:FFB00000 loc_FFB00000:                            # DATA XREF: ...
ROM:FFB00000     lis     r11, -0xFDF                   # 0xF0208220
ROM:FFB00004     addi    sp, r11, -0x7DE0              # 0xF0208220
ROM:FFB00008     lis     r13, -0xFFD                   # 0xF0037E20
ROM:FFB0000C     addi    r13, r13, 0x7E20              # 0xF0037E20
ROM:FFB00010     lis     rtoc, ((byte_FFA79B40+0x10000)@h)
ROM:FFB00014     addi    rtoc, rtoc, -0x64C0           # byte_FFA79B40
ROM:FFB00018     li      r0, 0
ROM:FFB0001C     stwu    r0, -0x40(sp)
ROM:FFB00020     bl      sub_FFA6AE2C
ROM:FFB00024     b       sub_FFA69150
ROM:FFB00028 # -------------------------------------------------------------
ROM:FFB00028     bl      sub_FFB000CC

AMX PPC32 Kernel
Sure, a backdoor password. OK. Wait... what?!

ROM:FF92E...  00000022  C  "Setting backdoor password to: %u\n"

    addi    r3, r31, 0
    cmpwi   r3, 0xE                           # serial len?
    bne     loc_FF924CB8
    lis     r26, -0xFDF                       # 0xF02086CE
    addi    r26, r26, -0x7932                 # 0xF02086CE
    addi    r3, r26, 0
    addi    r4, r31, 0
    li      r5, 0xF
    bl      strncpy                           # r3 buffer | r4 serial | r5 length
    lis     r3, ((aS_16+0x10000)@h)           # "%s\n"
    addi    r3, r3, -0x135B                   # aS_16
    addi    r4, r26, 0
    bl      printf
    addi    r3, r31, 0
    bl      generate_password
    bl      sub_FF9C6B78
    bl      sub_FF9C6B6C
    addi    r4, r3, 0
    lis     r3, ((aSettingBackdoo+0x10000)@h) # "Setting backdoor password to: %u\n"
    addi    r3, r3, -0x1357                   # aSettingBackdoo
    bl      printf

Serial#: HI -0 S-01
login:

Serial = 0xE bytes








generate_password:
    mflr    r0
    addi    ...
    stwu    %sp, -0x18(%sp)
    li      ...
    stw     ...                               # save r31 and the arguments in the frame
    ...
    bl      ...                               # r3 buffer | r4 seed | r5 length
    lis     ...
    addi    ...
    addi    ...
    bl      compute_hash
    lwz     ...
    mtlr    r0
    addi    %sp, %sp, 0x18
    blr
compute_hash:                                 # CODE XREF: generate_password+3C
.set var_4, -4

loc_FF9B039C:
    stwu    %sp, -0x10(%sp)
    li      %r12, 0x1B                        # 27 rounds
    mtctr   %r12
    stw     %r31, 0x10+var_4(%sp)
    lwz     %r31, 0(%r3)                      # v6 = magic[0]
    lwz     %r5, 0(%r4)                       # a2 = serial[0]
    lwz     %r6, 0xC(%r4)                     # a3 = serial[3]
    lwz     %r7, 8(%r4)                       # a4 = serial[2]
    lwz     %r3, 4(%r3)                       # v5 = magic[1]
    lis     %r8, -0x61A9                      # 0x9E5779B9
    lwz     %r4, 4(%r4)                       # a1 = serial[1]
    li      %r9, 0                            # sum = 0
    ori     %r8, %r8, 0x79B9                  # 0x9E5779B9

loc_FF9B03D0:                                 # CODE XREF: compute_hash+78
    add     %r9, %r9, %r8                     # sum += delta
    slwi    %r11, %r3, 4
    add     %r11, %r11, %r5                   # (v5 << 4) + a2
    add     %r10, %r3, %r9                    # v5 + sum
    srwi    %r12, %r3, 5
    xor     %r11, %r11, %r10
    add     %r12, %r12, %r4                   # (v5 >> 5) + a1
    xor     %r11, %r11, %r12
    add     %r31, %r31, %r11                  # v6 += ...
    slwi    %r10, %r31, 4
    add     %r10, %r10, %r7                   # (v6 << 4) + a4
    add     %r12, %r31, %r9                   # v6 + sum
    srwi    %r11, %r31, 5
    xor     %r10, %r10, %r12
    add     %r11, %r11, %r6                   # (v6 >> 5) + a3
    xor     %r10, %r10, %r11
    add     %r3, %r3, %r10                    # v5 += ...
    bdnz    loc_FF9B03D0
    lis     %r12, 0x5F5                       # 0x5F5E100
    ori     %r12, %r12, -0x1F00               # 0x5F5E100
    divwu   %r0, %r31, %r12
    mullw   %r0, %r0, %r12
    subf    %r3, %r0, %r31                    # v6 % 100000000
    lwz     %r31, 0x10+var_4(%sp)
    addi    %sp, %sp, 0x10
    blr
# End of function compute_hash


unsigned int generateBackdoorPwd(char *szMagic, char *szSerial)
{
    unsigned int v5, v6, v7, v8;
    unsigned int a1, a2, a3, a4;
    unsigned int password;
    int i;

    v7 = 0;
    /* 8-byte magic block and the serial buffer are read as 32-bit words */
    v6 = *(unsigned int *)szMagic;
    v5 = *(unsigned int *)(szMagic + 4);
    a1 = *(unsigned int *)(szSerial + 4);
    a2 = *(unsigned int *)(szSerial);
    a3 = *(unsigned int *)(szSerial + 0xC);
    a4 = *(unsigned int *)(szSerial + 8);
    v8 = 0x9E5779B9;

    /* 27 rounds of a TEA-like mix: the magic is the block, the serial is the key */
    for (i = 27; i > 0; --i)
    {
        v7 += v8;
        v6 += (a1 + (v5 >> 5)) ^ (v7 + v5) ^ (a2 + 16 * v5);
        v5 += (a3 + (v6 >> 5)) ^ (v7 + v6) ^ (a4 + 16 * v6);
    }

    password = v6 % 0x5F5E100;   /* reduce to an 8-digit decimal value */
    return password;
}
Schneider decided to implement a backdoor but... why?

First step was taking a look at IONSetup.exe

It turns out there is a backdoor also in the software :)

Demo time!

Strings in IONSetup.exe (IDA strings window):

Address        Length    Type  String
.data:007E...  00000035  C     Logged in at user level. Attempting factory access.
.data:007E...  00000007  C     Login\n
.data:007E...  0000000E  C     Factory Login
.data:007E...  0000000E  C     Factory Login
.data:007E...  00000009  C     pml1998\n
.data:007E...  00000012  C     Factory Password:
.data:007E...  00000005  C     %ld\n
.data:007E...  00000017  C     Factory Access Granted
.data:007E...  00000020  C     Unable to access factory level.
.data:007E...  00000021  C     No response to sending password.
.data:007E...  00000023  C     No response to sending factory password.
.data:007E...  00000027  C     Unable to obtain factory login prompt.
.data:007E...  00000026  C     No response to factory login request.
.data:007E...  00000036  C     Logged in at factory level. Switching to debug mode.
Then I googled 'pml1998' and...

• First result was an open FTP server containing confidential documentation from the vendor

• Some of those documents were detailing the backdoor functionality

1. ICS-CERT and Schneider were informed.

2. After a few hours, the FTP was closed and Google removed it from the cache as well.

3. Schneider acknowledged the backdoor.

4. A new set of firmwares is ready and some of them are already being deployed.

5. Forever-day.

CONCLUSIONS

1. I hope someone can use this info to better secure their devices.

2. I hope someone can use this info to research other devices.

3. I hope someday both of them share that research somewhere :)

Thank you so much for coming... have fun!

rubens (at) ioactive (dot) com

@reversemode